“IOWA”: A Response to Cyber Intrusions

April 25, 2019

By: Frank Harty

When it comes to cyber intrusion, it’s often said, two types of businesses exist: those that have been victims and those that will be victims. A wise client focuses on preparation and prevention. But even the best of defenses are sometimes breached. That is why it is important to prepare for an intrusion.


Experience tells us that a cyber intrusion response plan should address a number of things that can be summarized with the acronym IOWA:

Intervene to stop intrusion
Organize recovery and return to operations
Weed out weaknesses to be eliminated
Analyze and pursue gaps and wrongdoers


A readiness checklist fleshes out the actions related to the four overall concepts:

  • Interface security issues
    1. Is a security framework in place (NIST, COBIT, CSA)?
    2. Is someone “in charge” of security?
    3. Is a process in place to audit security and respond to a potential breach?
    4. Is there a process for identifying and responding to security issues?
  • Hardware and Infrastructure
    1. Are industry standards met?
    2. Are assets audited and scanned on a regular basis?
    3. Are audit result logs maintained?
    4. Do audits aim to meet regulatory requirements?
    5. Are there adequate internal firewalls in place (between zones)?
    6. Is there a security parameter (DMZ) for outside technologies?
  • Data Security
    1. Will you separate and segregate data?
    2. Is any data stored in a foreign country?
    3. Are there limits on the ability to log in remotely?
    4. Are written data management policies in place?
    5. Is data classified?
    6. Are wireless network controls in use?
  • Disaster Recovery
    1. Is a disaster recovery plan in place?
    2. Is it updated regularly?
    3. Is it “real” or just a decoy?
  • Incident Response
    1. Is a comprehensive security incident response plan and checklist in place?
    2. Will the plan create legally admissible forensic data collection?
    3. Are law enforcement and regulatory contacts maintained?
    4. Are effective monitoring tools in place (host and network intrusion detection—IDS)?
    5. Is a customer notification system in place?
  • Confidentiality
    1. Is data encrypted in transit?
    2. Is data encrypted while static?
    3. Is a third-party encryption provider used?
    4. Is a document protection policy in place?
    5. How are subpoenas responded to?
  • Human Resource Issues
    1. Is access limited? How?
    2. Are downloading controls in place?
    3. Is security training provided?
    4. Are systems in place designed to monitor privacy breaches?
    5. Are adequate password protocols in place (minimum length, history, complexity, age)?
    6. Are multifactor authentication options in use?
    7. Is an identity management system in place?
  • Dealing with Third Parties
    1. Do you ensure third parties have an incident response system in place?
    2. Is there a contract with indemnification obligations?
  • Risk Management
    1. Do you regularly audit/scan facilities to ensure compliance with security landmarks?
    2. Are there minimum annual audits?
    3. Is someone responsible for risk assessment?
    4. Do your windows on the world, such as websites, look vulnerable or hardened?


A post-intrusion plan should be in place well in advance of any incident. The response plan should be regularly reviewed and updated. The IOWA plan creates a business-smart strategy for coping with cyber intrusions before they become a problem.